Monday, November 22, 2021

Cisco SDWAN CoR FAQ

 

Q.Where can i find the CVD for Cloud on-ramp for IaaS for Azure?

 

A. It was published through the following link:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-cloud-onramp-iaas-azure-deploy...

 

Q.Where can i find the CVD for Cloud on-ramp for IaaS for AWS?


A.It was published through the following link:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/Cisco_Cloud_onRamp_for_IaaS_AWS_Version2.p... 

at No comments:

CISCO SD-WAN Software Upgrade Best practices

 

Sofware Upgrade Best Practices

 

This document will explain the steps and best practices for upgrading Cisco SD-WAN.

 

Using the link below, use the compatibility matrix embedded in the release notes to verify the version of the controllers (vManage, vBond, vSmart, and WAN Edges) or you can go to the SDWAN compatibility matrix webpage.

SD-WAN Release Notes https://www.cisco.com/c/en/us/support/routers/sd-wan/products-release-notes-list.html

SD-WAN Compatibility Matrix https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/compatibility-matrix.html

 

As an example, if the controllers are running on release 19.3.x, the Edge devices should be running on the following versions 18.4, 19.2, 19.3. See below

 

1.PNG

 

Important: Controller versions must follow the compatibility matrix to avoid operational issues.

 

Important Links for Software Upgrades

 

Cisco SD-WAN Upgrade

To upgrade the software running on the devices in the overlay network, download the new software packages from the Cisco SD-WAN website.

Visit the following link and select your hardware to validate the available releases, https://www.cisco.com/c/en/us/support/routers/index.html

Additionally you can go directly to the Software Download Center and download the available releases https://software.cisco.com/download/home/282770988

 

Important Prerequisites:

  • Controllers and WAN Edge devices should be upgraded in the following order:
  1. vManage
  2. vBond
  3. vSmart
  4. WAN Edge

 

  • Download the new software packages from the Cisco SD-WAN website before upgrading the software running on the devices in the overlay network
  • Collect a vManage configuration-db backup before the upgrade. This is in addition to your daily VM (Virtual Machine) snapshot for the vManage
  • Upgrade the software from the vManage NMS GUI rather than from the CLI
    • The Upgrade task pushes new software to the SD-WAN device and installs it on the file system.  It does not change the code or impact the device.  This task can be done ahead of the software activation maintenance window to optimize change control time.
    • For a special vManage cluster configuration where tunnel-interface is not configured on VPN 0 and the vManage isn’t managing any WAN Edges, then you must perform the upgrade of all vManages through CLI instead of through GUI. This type of configuration is used when vManage nodes in a cluster have some dedicated services running. Refer to “Upgrading the cluster" section in the following document for upgrading these type of cluster deployments: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/sd-wan/white-paper-c11-74...
  • When upgrading the software image on a remote vManage NMS, the overlay network must be operational
  • If the new software images are in the image repository on the vManage NMS, ensure that the WAN in which the vManage NMS is located has sufficient capacity for concurrent file transfers.
  • If the new software images are located on an external FTP server, ensure the FTP server can handle concurrent file transfers
  • You cannot include the vManage NMS in a group software upgrade operation. You must upgrade and reboot the vManage server individually in the vManage Software Upgrade tab.
  • vSmart and vBond controllers must be upgraded separately in the Controllers tab in the vManage Software Upgrade tab.
  • Be sure to activate a software image before setting it to the default software image.

Steps for Upgrading SD-WAN

To upgrade all devices in the overlay network, perform the upgrade in the following order:

  1. Add new software to the image repository of vManage or external FTP server if applicable
  2. Upgrade the vManage NMS(s).  Then activate the new code on vManage NMS
  3. Upgrade one-half the vBond orchestrators.   Then activate the new code on one-half the vBond orchestrators and validate vBond function on new code.
  4. Upgrade the remainder of the vBond orchestrators.
  5. Upgrade one-half of the vSmart controllers.  Then activate the new code on one-half the vSmart Controllers and validate vSmart function on new code.
  6. Upgrade the remainder of the vSmart controllers.
  7. Upgrade 10% of the WAN Edge routers. For multi-router sites, it’s recommended to limit upgrades to one router per site. A recommended plan of action would be to upgrade Production test device(s), low risk sites, medium risk sites, then high risk sites.
  8. Validate WAN Edge function of the network services after code upgrade.
  9. Upgrade the remainder of WAN Edge routers.

Frequently Asked Questions (FAQs)

 

Q: How often should I upgrade?

A:  With each new version of code comes multiple bug fixes that improve product quality. The release notes contain all bug fixes that came in with that release. Release code versions 18.3 and older are now End-of-Sale and End-of-Life per the following notice: https://www.cisco.com/c/en/us/products/collateral/routers/sd-wan/eos-eol-notice-c51-743306.html

 

Q: If I am running a Deferred release will my network be impacted?

A: Yes, running a deferred release is not recommended and can cause that device has an abnormal behavior caused by a software defect.

The latest versions are located in the Software Download Center: https://software.cisco.com/download/home/282770988

 

Q: Is it only vManage that I need to upgrade?

A: No, you will need to upgrade the suite of controllers in the following manner: 1) vManage 2) vBond 3) vSmart. This is documented in the following link in the section entitled Best Practices for Software Upgrades:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/hardware-and-soft...

Upgrading Cisco IOS XE Devices video: https://www.youtube.com/watch?v=qugfIlEmSEM

 

Q: Will I run into issues when upgrading vControllers (vBond, vSmart, vManage) from certain versions?

A: Yes! It is important to consider the upgrade path based upon your current controller version along with which version you will be upgrading to. The reason for this is because of schema changes in the database when upgrading to a version that is a major code release. Refer to the following upgrade path below:

17.1.x  > 18.3.8 18.4.4

17.2.x- > 18.4.4

 

Note: From version 18.4.x you can upgrade to any other Cisco Release without mid steps

 

 

Q:  Will I run into issues when upgrading vEdges from certain versions?

A: No, vEdges can be upgraded straight from version to version. please consider the compatibility matrix for the right match

 

Q:  Will I run into issues when upgrading cEdges from certain versions?

A: No, cEdges can be upgraded straight from version to version. please consider the compatibility matrix for the right match

 

 

Q: Should I consider my Edge device version compared to my controller version?

A: Yes, you should always follow the Compatibility Matrix provided in the release notes for each version. You never want your Edge device version to be higher than the controller version in your environment. For example, in the Compatibility Matrix section of the release notes below, you’ll see the following:

18.3 controllers > 18.3 vEdge and 16.9 XE SDWAN

18.4 controllers > 18.4 vEdge and 16.10 XE SDWAN

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/release/notes/xe-16-10-18-4/sd-wan-rel-notes-xe-...

 

Q: Should I consider my Edge device version compared to my controller version?

A: Yes, you should always follow the Compatibility Matrix provided in the release notes for each version. You never want your Edge device version to be higher than the controller version in your environment. For example, in the Compatibility Matrix section of the release notes below, you’ll see the following:

 

Q: What is the process to upgrade ISR4000 to SD-WAN?

A: The upgrade process is explained in the YouTube video below:

https://www.youtube.com/watch?v=qugfIlEmSEM

 

Additional information is available at:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/hardware-and-soft...

 

Q: Do I need specific hardware to install SD WAN software?

A: Yes, not all Cisco routers support SD-WAN software.

You can do the migration from traditional IOS-XE to IOS-XE SD WAN software on the following devices,

ISR1000

ISR4000

ASR1000

Cat 8000

For example, SD-WAN is not supported on CISCO 2900 or 3900 series.

at No comments:

Tuesday, November 16, 2021

Cisco SD-WAN: cEdge/vEdge NAT Tracker

 Ok so let’s get on with a lab around the NAT Tracker with DIA. The configuration for this is fairly simple (this is becoming a trend in SD-WAN!), so not too much to do. Cisco documentation will point you towards using templates for your task, but I am going to do this from the CLI.

There are 2 building blocks:

  1. Setup system tracker
  2. Apply to VPN0 NAT interface

System Tracker

Configured system tracker to http://www.google.co.uk

You have 2 options here for the endpoint of the IP or DNS name. If using DNS then be sure you have a DNS server configured within VPN0 where this applies:

Using 8.8.8.8 for DNS

Apply to VPN0 NAT Interface

tracker applied to ge0/1 in VPN0 – this being the NAT interface

Verify

This actually wasn’t obvious to work how you verify if the tracker is up or down. This was the best I could do:

Tracker is UP

So let’s cause an outage and break the connectivity from vEdge10 to the tracker endpoint – http://www.google.co.uk:80 – HTTP. The easiest way is stop the Internet interface on the WAN router towards EVE-NG:

Shut Gi0/3 on the WAN router, therefore breaking Internet access for vEdge10
Gi0/3 now shut

How does the tracker look on vEdge10?

Sure enough it is down

The expectation now is that the Internet traffic will route via the IPsec overlay, but really this depends on how you want the traffic to flow. In my lab there is no true backup way to the Internet via the MPLS transport. With more I could setup another Internet Gateway within the MPLS transport, but maybe some other time! I am happy with the concept and lab so far. 🙂 More on this below…

One last thing… timers! At a 1st glance the timers involved with the tracker seem confusing, so let’s break them down and be clear.

The 3 items we have when it comes to timers

Here is an extract from Cisco documentation:

ThresholdHow long to wait for the probe to return a response before declaring that the transport interface is down. Range: 100 through 1000 milliseconds Default: 300 milliseconds
IntervalHow often probes are sent to determine the status of the transport interface. Range: 10 through 600 seconds Default: 60 seconds (1 minute)
MultiplierNumber of times to resend probes before declaring that the transport interface is down. Range: 1 through 10 Default: 3
Summary of these terms and default values from Cisco documentation
  • In my lab I have setup:
    • Threshold / How long to wait for the probe?
      • Left at default of 300ms
    • Interval / How often to send a probe?
      • Custom value of 10 seconds
    • Multiplier / Number of times to resend a probe before deciding it is down
      • (A bit like a dead timer in OSPF?) Left at default of 3 attempts

So based on the above, in my lab if there is a Tracker based failover, this would probe every 10 seconds, in the event of a failed probe it will wait 300ms to declare it a failure, then it will attempt this 3 times, therefore a total of 30 seconds + 300ms x 3, (so just shy of 31 seconds) will pass before there is a failover. Timers are always a headache with everything networking! 😛

DIA Failover to MPLS

Let’s go back to the failover of our biz-internet transport and how we would route internet traffic via the mpls transport.

We know that creating an outage between vEdge10 and http://www.google.co.uk does ‘kick in’ as in we see the tracker go down, but we haven’t tested or looked at this anymore that that.

Fallback Option

This is a simple ‘on and off’ switch on the policy, there is however an order of operation to traffic flow / routing.

Order of operations
  1. Ingress ACL
  2. Application Aware Routing
  3. Centralized Policy (With Fallback enabled, we actually ignore this step and therefore hit step 4 – the route table.. so can you guess… we will need a route!)
  4. Routing and Forwarding

Configuration Steps

  1. Restriction of color at HQ site to avoid any complications
  2. We need a default route within the VPN on the HQ vEdge to be advertised via OMP to other vEdge devices in the relevant VPN
    1. This will send traffic via mpls to specific site like a DC that will have an Internet breakout / this could be a firewall for example and then off to the internet via the firewall
    2. Add a static route within OMP to the HQ vEdge itself
  3. Adjust NAT policy (edit existing DIA policy)
    1. On top of the Fallback option in the Sequence Rule, add a Local TLOC that is preferred – ‘biz-internet’
'show policy service-path vpn x interface ge0/x source-ip x.x.x.x dest-ip x.x.x.x protocol 1 all'

Which policy is being preferred? Break biz-internet and then re-run the command, it should show the mpls / site 60 next hop (courtesy of the default route) instead of ‘biz-internet’.

the blog from the link:

https://ccieme.wordpress.com/2021/02/12/sd-wan-nat-tracker-lab/


complement:

NAT tracker by HTTP/HTTPS(TCP/80 or 443), not by ICMP, so you cannot tracker your up link if the 

router didnot open the https/http server. cEdge support the NAT tracker at 17.3.1 version or later. the older version did not support the feature.


at No comments:
Subscribe to: Posts (Atom)